Speeding-Up Verification of Digital Signatures Abdul Rahman Taleb, Damien Vergnaud

To cite this version:

Abdul Rahman Taleb, Damien Vergnaud. Speeding-Up Verification of Digital Signatures. Journal of Computer and System Sciences, Elsevier, 2021, 116, pp.22-39. 10.1016/j.jcss.2020.08.005. hal- 02934136

HAL Id: hal-02934136 https://hal.archives-ouvertes.fr/hal-02934136 Submitted on 27 Sep 2020

HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Speeding-Up Veriﬁcation of Digital Signatures

Abdul Rahman Taleb1, Damien Vergnaud2,

Abstract In 2003, Fischlin introduced the concept of progressive verification in cryptography to relate the error probability of a cryptographic verification procedure to its running time. It ensures that the verifier confidence in the validity of a verification procedure grows with the work it invests in the computation. Le, Kelkar and Kate recently revisited this approach for digital signatures and proposed a similar framework under the name of flexible signatures. We propose efficient probabilistic verification procedures for popular signature schemes in which the error probability of a verifier decreases exponentially with the verifier running time. We propose theoretical schemes for the RSA and ECDSA signatures based on some elegant idea proposed by Bernstein in 2000 and some additional tricks. We also present a general practical method, that makes use of efficient error-correcting codes, for signature schemes for which verification involves a matrix/vector multiplication.

Keywords: Public-Key Cryptography, Digital Signatures, Probabilistic Veriﬁcation, RSA Signatures, ECDSA Signatures, GPV Signatures

1. Introduction

It is common in public-key cryptography, that parties need to repeatedly verify equations that ensure the validity of some input (e.g. for digital signature schemes, commitment schemes, or proof systems). In 2003, Fischlin [21] introduced the idea of progressive verification in cryptography to relate the error probability of a verification procedure to its running time. This concept overcomes the property that a verifier remains oblivious about the validity of a verification procedure until it is actually completed. Fischlin’s approach ensures that the verifier confidence grows with the work it invests in the computation. Digital signatures are arguably the most important cryptographic primitive and fast signature verification is extremely desirable in many applications (especially for numerous low computation scenarios such as RFID, wireless sen- sors or smart cards). Therefore, as explicitly mentioned in Fischlin’s work,

Email addresses: [email protected] (Abdul Rahman Taleb), [email protected] (Damien Vergnaud) 1Sorbonne Université, CNRS, LIP6, Paris, France and CryptoExperts 2Sorbonne Université, CNRS, LIP6, Paris, France and Institut Universitaire de France

Preprint submitted to Elsevier September 24, 2020 it is interesting to find non-trivial signature schemes in which the underlying number-theoretic function is somewhat progressively verifiable. In a digital signature protocol with progressive verification, the goal is to design a probabilistic verification procedure (in addition to the classical deterministic verification algorithm) that takes as input a message m, a public-key vk, a putative digital signature σ on m for vk, and a timing parameter τ and outputs some real number α ∈ [0, 1] (or the special symbol ⊥ if σ is detected as invalid). The progressive verification algorithm never rejects valid signatures and α represents its confidence level on the signature validity. This algorithm can be seen as a probabilistic method to spot flawed signatures faster than using the classical deterministic verification algorithm. The progressive verification procedure is sound if it accepts any invalid signature with probability at most α (over the random choices of the verification procedure). Recently, Le, Kelkar and Kate recently revisited Fischlin’s concept for digital signatures (under the name of flexible signatures) [41]. They presented a progressive probabilistic verification for the classical one-time signatures of Lamport. The goal of this paper is to present efficient and secure progressive verification procedures for popular signature schemes (including RSA, ECDSA and GPV signature schemes).

1.1. Prior Work Digital signatures are a cryptographic mechanism used to verify the authen- ticity and integrity of digital data. They allow a signer who has established a public verification key to sign a message such that any other party can verify that the message originated from the signer and was not modified in any way. This primitive is of paramount importance for building secure systems and are used in most real-world security protocols. However, for most signature schemes, many computation devices with limited computation power are not able to perform signature verification which is both time and power consuming. Many techniques have been suggested over the years to decrease the computational overhead of signature verification. A lot of work in cryptography has been devoted to design schemes allowing to perform expensive tasks in batch rather than individually to achieve better efficiency. For instance, in order to speed up the verification of several signatures, Bellare, Garay and Rabin [4] proposed batch verification to securely verify a set of digital signatures. For the verification of individual signatures, the concept of server-aided verification was proposed by Quisquater and de Soete [45] for speeding up RSA verification with a small exponent. Protocols for signature schemes were subsequently proposed and Girault and Lefranc formalized the concept in [29]. This paradigm allows signatures to be verified by executing an interactive protocol with an untrusted server which requires less computation than the original verification algorithm of the digital signature. For all these verification procedures, a verifier performs a certain number of verification steps and finally outputs a decision; the error probability of this decision is usually null or at most negligible. However, if a verification algorithm is stopped after some computation steps but before its end, the algorithm usually cannot predict the result better than before the start of computation.

2 error error error probability probability probability

time time time all-or-nothing linear progressive progressive verification verification verification

Figure 1: Principle of Progressive Veriﬁcation

In [21], Fischlin called this all-or-nothing verification: in order to give a reliable decision one must run the full verification procedure (see Figure 1, left part). Fischlin introduced the idea of progressive verification with the goal to relate the error probability of the decision to the running time of the verifier. As shown in Figure 1 (right part), one wants the error probability of the verifier’s decision to decrease quickly with the number of performed steps of the verification procedure. Fischlin focused on message authentication codes in [21] and hash chains in [22] and left open the problem of designing signature schemes in which the underlying number-theoretic function is progressively verifiable. As mentioned above, Le, Kelkar and Kate [41] showed that the classical one-time Lamport signature scheme [40] is suitable for progressive verification in which the error probability of the verifier’s decision decrease linearly with the number of performed steps of the verification procedure. Indeed, in this signature scheme, a verifier validates a signature by checking whether k (independent) equations hold (where k is the length of the signed message), and the progressive verification procedure consists in checking each equation in a random order. In the following, we will use the term linear progressive verification for such schemes that run atomic verification of independent computation in a random order and for which the error probability thus decreases linearly with its number of sequential executions (see Figure 1, middle part). They also proposed a (linear) progressive verification scheme for Merkle tree signatures [43]. This idea of using intermediate values of the computation has also been used in the context of verification of hash chains before (see e.g. [34, 35, 36, 37] and references therein). Many identification protocols proceeds in sequential rounds such that in each round a cheating prover will be caught with some small probability, say, 1/2 or 2/3 (e.g. [19] in factoring-based cryptography, [49, 50] in code-based cryptography, [39] in lattice-based cryptography or [46] in multivariate cryptography). Repeating the protocol permits to reduce the soundness error of these identification systems. Fischlin already noted in [21] that using the Fiat-Shamir heuristic [20], we obtain digital signature schemes suitable for linear progressive verification. These resulting signature schemes are often less efficient (in computational complexity or communication complexity) than other schemes based on

3 similar assumptions, but which do not support the linear progress of verification (e.g. [32] in factoring-based cryptography, [16] in code-based cryptography, [42] in lattice-based cryptography and [44] in multivariate cryptography). The latter schemes often significantly outperform the former ones even with probabilistic verification. In their paper, Le et al. mentioned that lattice-based signature schemes such as GPV signatures [27] are also good candidates for progressive verification. Indeed, for this scheme, the public verification key is a matrix, a signature is a vector and verification consists in a matrix/vector multiplication. Le et al. outlined a progressive verification method in which one checks the validity on each row of the matrix (in a random order) but again the error probability of the verifier’s decision decreases only linearly with the verifier computation time. Finally, they also claimed that “prominent traditional signature schemes such as RSA, (EC)DSA seem unsuitable towards building flexible signatures”.

1.2. Contributions of the Paper We revisit the concept of progressive verification for digital signatures, with the goal to propose efficient probabilistic verification procedures for popular signature schemes in which the error probability decreases exponentially with the number of verification steps (see Figure 1, right part). We present three techniques for such progressive verification of important digital signature schemes based on the RSA primitive, on the discrete logarithm problem on elliptic curves (and in particular ECDSA) and on GPV signatures and variants where the verification procedure consists in a matrix/vector multiplication.

1.2.1. RSA signatures The RSA signature is one of the most elegant and well-known signature schemes. It is extensively used in a wide variety of applications, and serves as the basis of several existing standards. The public key is a pair (N, e) where N is an integer (of unknown factorization) and e is an integer coprime with ϕ(N) (the Euler totient function of N); a signature of a message m is an element σ ∈ ZN such that σe ≡ H(m) mod N (1) where H is an appropriate hash function that maps messages of arbitrary length to elements in ZN . In [6], a paper that predates Fischlin’s paper [21], Bernstein proposed an elegant verification procedure for Rabin signatures which can be seen as probabilistic verification. In Rabin signatures, the verification equation is roughly speaking (1) but with e = 2; in this case, one can add to the signature the integer k such that σ2 = H(m)+kN (and adding this element does not decrease the security since it can be computed easily from the signature σ). Using classical techniques, one can then check the validity of this equation over Z by mapping it to a random quotient ring Zp of Z for some prime number p. To increase its confidence, a verifier can simply map the equality to enough quotient rings and the error probability decreases exponentially with the number of tested prime

4 numbers. Since, in this case, we have e = 2 in (1), the integer k is smaller than N and the signature size is at most doubled. A naive approach for RSA signatures (already mentioned by Wagner in [53]), is to add to the signature the integer k such that σe = H(m) + kN and then check this equality modulo small prime numbers. This approach is only suitable for very small public exponents e since the integer k is close to N e−1 and thus the signature size is multiplied by e. As a first example of a signature scheme with progressive verification, we present a variant of the RSA signature based on Bernstein’s technique where the signature size is multiplied only by a factor O(log(e)). It relies on a simple trick and serves as an introduction to the primitive. It is worth mentioning that this verification technique to the so-called RSA Full Domain Hash signature scheme [5] can also be applied to other paddings (e.g. RSA-PSS [5]) and variants of RSA in the standard security model (i.e. without the random oracle heuristic assumption, e.g. Cramer-Shoup signatures [14]). This construction is mainly of theoretical interest since, even if it achieves a good efficiency improvement in the verification procedure, the increase of the signature size makes it useless in most practical settings where the additional power consumption for reading the signature outweighs the efficiency gain.

1.2.2. ECDSA signatures The Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) [38] are efficient digital signature schemes which produce (reasonably) short signatures and whose securities rely on the discrete logarithm problem in their respective underlying groups. Due to its small key size, thanks to the (assumed) stronger difficulty of this problem on elliptic curves, ECDSA has a fast signing algorithm and is therefore used in many standard cryptographic libraries and in cryptocurrencies. For a security parameter λ, ECDSA signatures have size O(λ) bits and their verification requires O(λ) operations in the underlying finite field Fq with log(q) = O(λ). This gives an overall binary 3 3 complexity O(λ ) (i.e. without using fast arithmetic in Fq) for verification which is asymptotically faster than the O(log(e)λ6) binary complexity for RSA verification (for which the key size is cubic in the security parameter). How- ever, in practice for λ = 128 and small public exponent e, RSA verification is faster than ECDSA verification. It is thus interesting to propose an efficient progressive verification procedure for ECDSA. A natural approach is to use Bernstein’s idea from [6] and to consider all equalities that occur in an ECDSA verification over the ring Z instead of over Zq. It is indeed possible to combine readily this idea with our trick introduced for RSA progressive verification for models of elliptic curves where the group arithmetic does not involve division in the ring Zq. These elliptic curve models are the most widely used in cryptography since it is usually too costly to compute inverses in Zq. We present a more efficient approach using the clas-

3Using fast arithmetic, the veriﬁcation algorithms have bit complexity O˜(λ2) for ECDSA and O˜(log(e)λ3) for RSA (where the O˜ notation “ignores” logarithmic factors).

5 sical Weierstrass affine model of elliptic curves. In this case, the group law on the elliptic curve requires the computation of inverses modulo q and it is not clear how to handle these equations in the ring Z and its quotient rings Zp for small prime numbers p. Indeed, for a small prime p, a random element in {1, . . . , q − 1} will not be invertible modulo p with probability close to 1/p. We present a progressive verification scheme for ECDSA signature with bit complexity O(τ log(p)λ2) where the probability error decreases exponentially with τ, and log(p) is much smaller than λ. The signatures generated have size O(λ2) bits (e.g. still asymptotically shorter than RSA signatures) and their security is identical to the security of original ECDSA signatures. As for RSA, our technique is generic and can be applied to many elliptic-curve based digital signatures (e.g. Schnorr signatures [47]) and is also mainly of theoretical interest (since the increase of the signature size outweighs the efficiency gain).

1.2.3. GPV signatures and variants In 2008, Gentry, Peikert and Vaikutanathan [27] proposed a lattice-based signature scheme with strong security guarantees and good asymptotic efficiency. n×m Given some integers p, n, m, the public key is a basis A ∈ Zp of a random m lattice Λ; a signature of a message m is a "short" vector ~σ ∈ Zp such that: A · ~σ = H(m) (2) where H is an appropriate hash function that maps messages of arbitrary length n to elements in Zp . Checking that ~σ is “short” can be done efficiently and the most time-consuming operation in GPV signature verification is checking whether (2) holds. As mentioned above, it consists therefore in performing a matrix/vector multiplication in Zp and one can obtain a linear progressive verification procedure by checking each row of (2) in a random order. As the main contribution of the paper, we propose a progressive verification scheme for GPV signatures. In randomized computation, Freivalds’ algorithm [24] is a well-known probabilistic algorithm used to verify (square) matrix mul- n×n tiplication: given three matrices A, B and C in Zp , the algorithm checks whether A·B = C in time4 O(τn2) for some parameter τ (with error probability −τ n bounded by 2 ). It simply picks uniformly at random τ vectors ~r1, . . . , ~rτ ∈ Zp and computes successively ~si = B~ri, t~i = A~si = (A · B)~ri and ~ui = C~ri for i ∈ {1, . . . , τ}. and accepts if and only if t~i = ~ui for all i ∈ {1, . . . , τ}. This approach does not seem applicable to check our matrix/vector multiplication (at least without doing some off-line pre-computation5).

4 2.3729 i.e. faster than computing AB with requires O(n ) operations in Zp using the best known matrix multiplication algorithm [54]. 5Added in proof. Recently, Boschini, Fiore and Pagnin [11] revisited flexible signatures from [41] . They proposed another way to speed up the verification process of lattice-based signatures (similar to Freivalds’ algorithm [24]). It requires (secret) pre-processing from the verifier (that can be re-used an unbounded number of times). The verifier has to store some secret verification key (different for each signer public key) but the resulting verification procedure is then very efficient.

6 Instead, our approach makes use of error-correcting codes and in particular of (`, n, δ`)-linear codes which minimum distance satisfies the Gilbert-Varshamov Bound. The new progressively verifiable signature scheme does not modify the signatures (and in particular does not increase their size) but modifies the public `×n key (and increases its size). We consider G ∈ Zp a generator matrix for some linear code over Zp with ` > n. The new public key consists in the two matrices `×m `×n G · A ∈ Zp and G ∈ Zp . Instead of checking whether (2) holds, the verification procedure checks the equality

(GA) · ~σ = G ·H(m) (3) which obviously holds if (2) holds (and conversely (2) holds if (3) holds and G is of full rank). This approach makes the complete verification of (3) costlier than the one of (2) but allows for progressive verification. Indeed, if the code generated by G is a “good” error-correcting code then it has no non-zero codewords of “small” Hamming weight (i.e. with a “large” number of null coordinates ~ in Zp). Therefore, if A · ~σ − H(m) 6= 0, then the vector G · (A · ~σ − H(m)) has a “large” number of non-zero coordinates and checking that a “sufficiently large” set of rows in (3) coincide ensures with “good” probability that (3) holds for all rows (and thus that the signature is valid). Using reliable and probabilistic constructions of (`, n, δ`)-linear codes, we can make all these statements mathematically precise and improve significantly the efficiency of GPV signature verification. This approach is actually very general and can be used to improve the efficiency of other cryptographic operations which involve a matrix/vector multiplication. In particular, we show how our technique improves also the verification procedure of the recent signature scheme called Wave and proposed by Debris-Alazard, Sendrier and Tillich in [16].

1.3. Organization of the Paper The rest of the paper is organized as follows. In Section 2, we briefly describe the model assumed in our paper and provide some notation used throughout it. Section 3 presents and analyzes our RSA-based progressively verifiable signature scheme based on Bernstein’s idea from [6]; it also contains efficiency analysis and implementation results. In Section 4, we recall some standard facts on elliptic curve arithmetic and we present our variant of ECDSA signatures with progressive verification; it ends with efficiency analysis of our new scheme. Section 5 recalls needed facts on GPV and Wave signature schemes, on the probabilistic construction of (`, n, δ`)-linear codes suitable for our needs that satisfies the Gilbert-Varshamov Bound, and presents the new verification scheme together with a mathematical analysis of its security and efficiency. This section ends with a brief performance analysis and comparison to basic verification procedure for these two signature schemes. We conclude the paper with a few open problems for future research in Section 6.

7 2. Preliminaries

2.1. Notations We denote the security parameter by λ ∈ N which is given to all algorithms in the unary form 1λ. Algorithms are randomized unless otherwise stated, and PPT stands for “probabilistic polynomial-time,” in the security parameter. We denote random sampling from a ﬁnite set X according to the uniform distribution with x ←−$ X. We also use the symbol ←−$ for assignments from randomized algorithms, while we denote assignment from deterministic algorithms and cal- culations with the symbol ←. If n is an integer, we write Zn for the ring Z/nZ. ∗ We let Zn the invertible elements of Zn. As usual, f ∈ negl(λ) denotes a function that decreases faster than the inverse of any polynomial in λ; such functions are called negligible. In the following, implementation and timings are provided for the diﬀerent signature schemes. All implementations were run on a laptop computer (In- tel(R) Core(TM) i7-8550U CPU, 1.80GHz with 4 cores) using Ubuntu operating system and various cryptographic libraries.

2.2. Progressive Verification of Signatures In this section, we recall the syntax of digital signatures and the notion of (strong) existential unforgeability. Note that all schemes used in this work are proven existentially unforgeable under standard complexity assumptions (in the random oracle model or in the generic group model). Formally, a digital signature scheme consists of three algorithms, namely the key generation algorithm, the signing algorithm and the verification algorithm. Definition 1 (Digital signatures). A digital signature scheme Σ is a triple of PPT algorithms Σ = (KeyGen, Sign, Verify) such that: • The key generation algorithm KeyGen, on input security parameter 1λ, $ generates a key pair (sk, vk) ←− KeyGen(1λ); sk is called the (secret) signing key and vk is called the (public) verification key; • the signing algorithm Sign, on input a signing key sk and a message m ∈ $ {0, 1}∗, outputs a signature σ ←− Sign(sk, m); • the (deterministic) verification algorithm Verify, on input a verification key vk, a message m ∈ {0, 1}∗, and a bit string σ, outputs a bit b ← Verify(vk, m, σ),

$ and the scheme Σ satisﬁes the following correctness property: ∀λ ∈ N, ∀(sk, vk) ←− $ KeyGen(1λ), ∀m ∈ {0, 1}∗, ∀σ ←− Sign(sk, m), then Verify(vk, m, σ) = 1. If for some veriﬁcation key vk, some message m ∈ {0, 1}∗ and some bit-string σ ∈ {0, 1}∗, we have Verify(vk, m, σ) = 1 then σ is called a signature on m for vk.

8 Remark 1. It is worth noting that in most existing works, the verification algorithm is assumed to be deterministic. We use the same approach in this work even if our definitions and techniques can be applied to digital signature schemes with probabilistic verification as defined in [23]. We recall the strong6 EUF-CMA security notion:

Deﬁnition 2 (Strong EUF-CMA Security). A digital signature scheme Σ = (KeyGen, Sign, Verify) is strongly secure against existential forgeries in a chosen- message attack (strongly EUF-CMA-secure) if the advantage of any PPT adversary A against the EUF-CMA game deﬁned in Figure 2 is negligible:

EUF h A i AdvA,Σ(λ) = Pr EUFΣ (λ) = 1 ∈ negl(λ).

A EUFΣ (λ): Sign(m): L ← ∅ σ ←−$ Σ.Sign(sk, m) (sk, vk) ←−$ Σ.KeyGen(1λ) L ← L ∪ {(m, σ)} (m∗, σ∗) ← ASign(·),Verify(·,·),H(·)(1λ) return σ ∗ ∗ if (m , σ ) 6∈ L Verify(m, σ): return Σ.Verify(vk, m∗, σ∗) return Σ.Verify(vk, m, σ) return 0

Figure 2: Strong EUF-CMA experiment for digital signature schemes.

Given two functions t : N → N and : N → [0, 1], we also deﬁne a (t, )- EUF-CMA-adversary as a probabilistic algorithm A for which the expected run- A ning time of the experiment EUFΣ (λ) is upper-bounded by t(λ) and its advan- EUF tage AdvA,Σ(λ) is lower-bounded by (λ).

We now give the syntax of digital signatures with probabilistic verification. Note that our definition differs from the definition of flexible signatures from [41]. Our security definition for the progressive verification is statistical rather than computational in [41]. For that reason and to avoid confusion between the two primitives, we use the name put forth by Fischlin in his seminal work [21].

Definition 3 (Digital signatures with progressive verification). A digital signature scheme with progressive verification Σ is a 4-tuple of PPT algorithms Σ = (KeyGen, Sign, Verify, ProgVerify) such that: • Σ = (KeyGen, Sign) is a correct digital signature scheme;

6In contrast to the weak version, the adversary is allowed to forge for a message that they have queried before, provided that their forgery is not an oracle response.

9 • the (probabilistic) progressive verification algorithm Verify, on input a verification key vk, a message m, and a bit string σ, and some timing param- $ eter τ outputs α ←− ProgVerify(vk, m, σ, τ) where α is either a real number in [0, 1] or the special symbol ⊥, with the following properties: 1. if for some verification key vk, some message m ∈ {0, 1}∗, some bit-string σ ∈ {0, 1}∗, and some timing parameter τ, ProgVerify(vk, m, σ, τ) outputs ⊥ then we have Verify(vk, m, σ) = 0 ( i.e. σ is not a signature on m for vk). 2. if for some verification key vk, some message m ∈ {0, 1}∗, some bit-string σ ∈ {0, 1}∗ and some timing parameter τ, ProgVerify(vk, m, σ, τ) outputs α then Verify(vk, m, σ) = 0 with probability at most 1 − α (taken over the random coins of ProgVerify). With our definition, the progressive verification algorithm never rejects valid signatures. When this algorithm ProgVerify(vk, m, σ, τ) outputs some real number α ∈ [0, 1], α represents its confidence level on the signature validity: when α = 0, the progressive verification algorithm has no information on the validity of σ as a signature of m for vk whereas for α = 1, we have Verify(vk, m, σ) = 1 with certainty. This model of progressive verification with “one-sided error” is reminiscent of the probabilistic complexity class RP and Monte-Carlo al- gorithms7. We can see this definition as a method to spot flawed signatures prematurely. As mentioned in the introduction, a digital signature scheme with progressive verification is interesting if it is secure against existential forgeries in a chosen-message attack and if rejecting invalid signatures grows with the performed work. In the schemes we present in the rest of the paper, we will obtain constructions where α = 2−Ω(τ) (i.e. in which the error probability decreases exponentially with the timing parameter).

3. RSA Signatures

3.1. Description In this paragraph, we first recall the description of the classical RSA Full Domain Hash (RSA-FDH) signature scheme from [5]. It achieves EUF-CMA- security in the random oracle model assuming the so-called RSA computational assumption [5] (which is a stronger assumption than the difficulty of the integer factoring problem). Our description involves a security parameter λ ∈ N (following Definition 1); this integer λ represents the bit size of the RSA moduli generated but not

7Another possible approach is to consider signatures with progressive verification in which the progressive verification algorithm takes as input a confidence level and prematurely ter- minate the verification according to this level and then decide about validity of the given signature.

10 actually the security level of the signature scheme. To achieve a security level of κ security bits (i.e. a probabilistic adversary cannot break the RSA assumption and thus the scheme in expected time less than O(2κ)), we must choose at least λ = Ω(κ3) to prevent the best known factoring methods. The RSA-FDH signature scheme consists of the following procedures:

• KeyGen(1λ): In order to generate the keys, one picks uniformly at random two (λ/2)-bits prime numbers p and q, and defines the public modulus N = pq. Then, a public exponent e is chosen such that 1 < e < ϕ(N) and gcd(e, ϕ(N)) = 1, where ϕ denotes Euler’s totient function. The private key d is then computed as the modular inverse of e in Zϕ(N). The verification key is vk = (N, e, H) where H is a cryptographic hash function ∗ H : {0, 1} → ZN , while the signing key is sk = (N, d, H). • Sign(sk, m): To sign a message m ∈ {0, 1}∗, the signer computes the hash d value h = H(m) ∈ ZN , and outputs the signature σ = h mod N. • Verify(vk, m, σ): To determine the validity of a signature σ of a message m, one computes h0 = σe mod N and h = H(m). The signature is accepted if and only if h = h0. In this deterministic verification algorithm, the value h0 = σe mod N needs to be computed entirely before deciding on the validity of the signature. In fact, the verification is an all-or-nothing algorithm where no information is revealed before the complete exponentiation algorithm is executed. Our goal in the rest of this section is to provide a modified version of the RSA signature scheme where the verification is made progressive.

3.2. RSA Signatures with Progressive Veriﬁcation As mentioned in the introduction, our progressive scheme of the RSA-FDH signature uses the elegant idea proposed by Bernstein in [6]. To test whether an integer in Z is equal to 0, one simply tests if it is equal to 0 modulo small prime numbers. When verifying a signature σ of a message m, one tests that the equality σe = H(m) mod N holds. This can be rewritten as σe − H(m) = 0 mod N, which holds modulo an integer N of bit-length λ. With the trick from [6], a faster way to test the equality is to consider the quotient k of the Euclidean division of σe by N, and verify that c = 0 where c = σe − H(m) − k · N. This can be done fast by checking if c is divisible by a random prime p of bit-length equal to some parameter µ λ. Indeed, since c is an integer of bit-length e · λ, it cannot be divisible by more than de · λ/µe distinct primes of bit-length µ. By the prime number theorem (see below for a precise statement), it is known that the number of prime numbers of bit-length µ is roughly equal to 2µ/(2µ). For a random prime p smaller than 2µ, we thus have : e · λ Pr [c 6= 0 ∧ c = 0 mod p] ≤ (4) p prime, 2µ−1

11 This is the probability of accepting an invalid signature, when c = σe − H(m) − k · N 6= 0 but is divisible by the prime p which makes the equality c = 0 mod p hold. For large µ, this probability becomes negligible, and for progressive verification one can choose τ different random primes of length µ uniformly at random instead of one, to make this probability even smaller (namely upper- bounded by (eλ/2µ−1)τ ). If we consider for example RSA-2048 (i.e. with λ = 2048) with e = 216 + 1, choosing one prime of length µ = 32 would make the error probability as small as 2−4, and choosing τ primes makes it smaller than 2−4τ (which decreases exponentially with τ). However, the problem with this method is that the output signature needs to be (σ, k), where the bit-length of k is approximatively equal to (e − 1)λ, and for large values of e (typically for e ≈ N), outputting k in the signature becomes exponential in λ and totally impractical. For this reason, in our proposed modified signature scheme, we use an additional trick by extending the signature with all the intermediate values of σi and ki which appears in the “square-and-multiply” algorithm performed during the computation of σe mod N. The modified signature scheme Progressive-RSA is described below. For simplicity, we consider only public exponents e of the form e = 2h + 1 for some parameter h (since these exponents are the most widely used and it makes the presentation simpler). However, our scheme can be readily generalized to any public exponent by considering any addition chain for computing e. • KeyGen(1λ): The procedure is the same as the key generation for classical RSA-FDH signature. The verification key is vk = (N, e, H) with e = 2h +1 for some parameter h and H is a cryptographic hash function H : {0, 1}∗ → ZN , while the signing key is sk = (N, d, H). • Sign(sk, m): Given a message m, the algorithm first computes the classical d e RSA-FDH signature σ0 = H(m) mod N. It then computes σ0 mod N using the “square-and-multiply” algorithm, and stores the (2h+1) integers

k0 and {σi, ki}i∈[h], where ki and σi are respectively the quotient and 2 remainder of the Euclidean division of σi−1 by N for i ∈ [h] and kh+1 is the quotient of the Euclidean division of σ0 · σh by N . The algorithm n 2i o outputs the signature σ = (σ0, σ , ki , kh+1). i∈[h+1]

n 2i o • Verify(vk, m, σ): A signature σ = (σ0, σ , ki , kh+1) of a message i∈[h] 2 m is valid, if and only if σi−1 − σi − ki · N = 0 for all i ∈ [h] and 2 σ0 · σh − H(m) − kh+1 · N = 0.

In this scheme, each of the σi and ki are of bit-length λ at most. The signature length is then roughly 2(h + 1)λ. The verification algorithm is slightly faster than the verification algorithm of the RSA-FDH scheme (since it removes the Euclidean divisions and only requires ring operations in Z). The signing algorithm is slightly slower since it involves running the verification algorithm of RSA-FDH (but for e = 216 +1 for instance, the increase is marginal). The verification algorithm of this new scheme only involves ring operations in Z and one

12 can apply Bernstein’s idea from [6] to obtain Progressive-RSA(µ) a progressive verification scheme for RSA signatures (parameterized by some integer µ): • ProgVerify(vk, m, σ, τ): Given a putative signature σ of a message m for n 2i o vk parsed as σ = (σ0, σ , ki , kh+1), the algorithm picks uniformly i∈[h] at random a prime number pj of bit-length µ, sequentially for j ∈ [τ], 2 and checks whether σi−1 − σi − ki · N = 0 mod pj for all i ∈ [h] and 2 σ0 · σh − H(m) − kh+1 · N = 0 mod pj for j ∈ [τ]. If one equation does not λ τ hold, the algorithm returns ⊥; otherwise it returns α = 1 − . 2µ The advantages of the verification in this scheme, apart from the fact that it becomes progressive, is that the operations are all modulo primes of size much smaller than that of N. For a fixed error probability, there is clearly a trade-off between the size µ of the primes to generate and their number τ.

3.3. Security Analysis The following proposition claims that the previous digital signature scheme Progressive-RSA is not less secure than the RSA-FDH classic scheme: Proposition 1. Let t : N → N and : N → [0, 1], be two functions and let A be (t, )-EUF-CMA-adversary against Progressive-RSA. There exist B a (t0, )- 0 EUF-CMA-adversary against RSA-FDH with t = t + qS · TRSA-FDH.Verify where TRSA-FDH.Verify : N → N denotes the running time of the RSA-FDH.Verify ( i.e. 3 TRSA-FDH.Verify(λ) = O(λ )) and qS denotes the number of queries made by A to its signing oracle. Proof. The proof is straightforward. As mentioned above, the signing algorithm d Progressive-RSA.Sign first runs RSA-FDH.Sign to obtain σ0 = H(m) mod N for a message m and then runs the algorithm RSA-FDH.Verify (with no secret input) n 2i o to compute the full signature σ = (σ0, σ , ki , kh+1). Given a public i∈[h+1] key for the scheme Progressive-RSA, the algorithm B simply forwards it to the algorithm A. For each signing query made by A on a message mi for i ∈ [qS], B (i) d forwards it to its own signing oracle to obtain σ0 = H(mi) mod N for i ∈ [qS]. (i) The algorithm B runs RSA-FDH.Verify on each triple (vk, mi, σ0 ) for i ∈ [qS] to complete the full signature computation. Eventually A outputs a forgery (m?, σ∗) valid with probability at least (λ) and B can simply extracts a forgery ? ? ? ? ? ? ? n 2i ?o for m for RSA-FDH as σ0 if σ is parsed as σ = (σ0 , k0 , σ , ki ). i∈[h] Following the probabilistic analysis outlined above and using an explicit version of the prime number theorem, we can also easily show that the progressive verification is correct: Theorem 1. Let µ ∈ N with µ > 5. The digital signature scheme with progressive verification Progressive-RSA(µ) is correct ( i.e. it returns ⊥ only for invalid signatures and if it returns a real number α ∈ [0, 1] on input (vk, m, σ, τ) then σ is not a signature of m for vk with probability at most 1 − α).

13 1 − α 1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 τ 1 3 5 7 9 11 13 15

Figure 3: Error probability for 2048-bit RSA signatures with µ = 12

Proof. For an integer x, we denote as usual π(x) the number of primes smaller or equal to x. For x ≥ 30, an explicit version of the prime number theorem [33, 15] proved by Dusart [17, p. 9]) ensures that 0.92x/ ln(x) < π(x) < 1.11x/ ln(x). µ µ µ−1 Therefore, if µ > log2 30 + 1, π (2 ) > 0.9 · 2 /(µ ln(2)) and π 2 < 1.11 · 2µ/2(µ − 1) ln(2). The number of primes in [[2µ−1, 2µ − 1]] is then at least 2µ/2(µ − 1). Given a putative signature σ of a message m for vk parsed as

n 2i o σ = (σ0, σ , ki , kh+1), i∈[h] σ is valid if and only if the following two conditions hold:

2 • σi−1 − σi − ki · N = 0 for all i ∈ [h]; 2 • σ0 · σh − H(m) − kh+1 · N = 0. Therefore, if σ is not valid, at least one equality out of these (h + 1) does not hold over Z. This inequality involves integers smaller than N 2 and as mentioned above its reduction in a quotient ring Zp for some prime number p is an equality for at most d2λ/µe primes of bit-length µ. Therefore, for each prime pi picked uniformly at random among all prime numbers of bit-length µ, the probability that the (h + 1) relations hold modulo pi if σ is invalid is upper-bounded by

2λ 2µ −1 µ − 1 · = · λ · 2−µ ≤ λ · 2−µ. µ 2(µ − 1) µ

Since the algorithm ProgVerify uses τ distinct primes of bit-length µ, the probability that an invalid signature is not detected by the verification algorithm is upper-bounded by (λ · 2−µ)τ and thus the real α = 1 − .(λ · 2−µ)τ output by the algorithm provides a correct confidence level for this signature scheme. It is worth mentioning that one can indeed conclude with certainty that the classical deterministic verification algorithm would also accept or reject a signature if one runs the progressive verification procedure modulo primes p1, ...p`

14 Q` such that i=1 pi > N. Figure 3 illustrates the exponential decreasing of the error probability of the progressive veriﬁcation procedure for 2048-bit RSA modulus (i.e. λ = 2048) and 12-bits prime numbers (i.e. µ = 12).

3.4. Complexity, Implementation and Performances Using naive modular arithmetic, namely multiplication and division modulo N with quadratic binary complexity (with no special tricks like Fast Fourier Transform), the binary complexity of the RSA-FDH.Verify algorithm is O(log(e)· λ2). The algorithm Progressive-RSA(µ).ProgVerify has improved binary complexity O(log(e) · λ · µ) (since modular reduction of an n-bit integer by an m-bit integer requires O(mn) binary operations, see [12]). The proposed variant of the RSA signature scheme was implemented in order to validate its efficiency in practice. The implementation was done in C language using the GMP BIGNUM Library [30]. The scheme was tested with the public key e = 216 + 1, which is a common choice in practice, and a good candidate to evaluate the performance of the progressive verification, with respect to the increase in the signature size. The results for RSA-2048 and RSA- 4096 are given in Table 1. The desired upper bound on the error probability for the modified scheme has been fixed to 2−60, and different number of generated primes with different sizes have been tested accordingly to illustrate the trade-off discussed in 3.2. The verification modulo each prime was done independently in parallel. The progressive verification scheme shows faster execution when choosing higher number of primes, with smaller sizes. This behavior is normal since the reduction operation is less costly when the size of the prime decreases. In fact, the fastest verification is achieved when choosing four primes of 26 bits in the case of the modified RSA-2048, and four primes of 27 bits in the case of RSA-4096. It can also be observed that the verification process of the modified RSA scheme is clearly faster than the classical one. The verification time for either a valid or an invalid signature is the same with the latter for both RSA- 2048 and RSA-4096, since the entire exponentiation of σe mod N have to be executed in order to validate the signature. Meanwhile, the verification for the valid signature is twice (resp. four times) faster in the case of progressive RSA- 2048 (resp. RSA-4096). An invalid signature was constructed by injecting one single incorrect equation in a valid signature, and then randomly choosing the order of the equations to verify. An invalid signature is clearly detected faster with the progressive verification. On average, an invalid input is detected four times faster in the case of progressive RSA-2048 verification, and eight times faster for RSA-4096. This shows that the increase in the signature size leads to a much faster verification process for RSA signatures.

Remark 2. In order to further improve the efficiency of our scheme, we considered to choose the prime numbers in the proposed RSA signature scheme, to be so-called pseudo-Mersenne primes [48], which offer faster modular reduc- tions. However, this did not lead to an interesting improvement in the efficiency/security trade-off (since these special prime numbers are more rare and the error probability is significantly higher).

15 Signature Veriﬁcation Time (in ms) (Number, Size) of Size (in kB) Valid Invalid primes Veriﬁcation modulo N RSA-2048 0.256 0.0291 (|N| = 2048) 0.0155 0.0073 (1, 71) Proposed 0.0139 0.0066 (2, 41) 8.704 RSA-2048 0.0133 0.0064 (3, 31) 0.0130 0.0064 (4, 26)

Veriﬁcation modulo N RSA-4096 0.512 0.0873 (|N| = 4096) 0.0228 0.0087 (1, 72) Proposed 0.0182 0.0082 (2, 42) 17.408 RSA-4096 0.0179 0.0081 (3, 32) 0.0177 0.0080 (4, 27)

Table 1: Performance of the progressive verification process, compared to the basic verification, in the cases of both valid and invalid signatures, for RSA-2048 and RSA- 4096. The desired upper bound on the error probability has been fixed to 2−60.

4. ECDSA Signatures

4.1. Elliptic Curves and ECDSA Signatures The main advantage of elliptic curve cryptosystems stems from the absence of a sub-exponential-time algorithm to compute discrete logarithms on general elliptic curves over finite fields. Consequently, one can use an elliptic curve group that is smaller in size compared with systems in the multiplicative group of a finite field but the arithmetic of the underlying group is more tedious. Let K be a field. Consider an elliptic curve E(K) defined over K. E(K) has the following generalized Weierstrass equation :

2 3 2 y + a1xy + a3y = x + a2x + a4x + a6 (5) where a1, a2, a3, a4, a5, a6 ∈ K. For simplicity of notations and description of the ECDSA signature and the proposed fast verification scheme, we will consider8 K = Zp of characteristic p > 3 a prime. Then, E(Zp) admits a model using the short Weierstrass form : y2 = x3 + ax + b (6) 3 2 where a, b ∈ Zp and −16(4a + 27b ) 6= 0 mod p. Recently, a lot of work has been devoted to the study of alternative models of elliptic curves that could admit more efficient arithmetic (see [8] for an encyclopedic overview of these models). In this work, we consider only the (affine and projective Jacobian) Weierstrass model.

8 Note that the proposed scheme would still apply for K of characteristic 2 or 3, changing only the form of the Weierstrass equation.

16 When speaking about point addition and doubling over elliptic curves, an estimate of their complexities will be discussed in number of basic field operations. In the next sections, the multiplication (resp. inversion) operation over the considered field K, will be denoted by the symbol M (resp. I). We recall the description of the ECDSA signature scheme [38]. It achieves EUF-CMA-security in the generic group model and its security is related to the difficulty of the discrete logarithm problem. Our description involves a security parameter λ ∈ N (following Definition 1); this integer λ represents the bit-size of the underlying finite field but not actually the security level of the signature scheme. To achieve a security level of κ security bits, we must choose λ ≈ 2κ to prevent the best known attacks. The ECDSA signature scheme consists of the following procedures: • KeyGen(1λ): Generate a prime p of bit-length λ uniformly at random. Define an elliptic curve E(Zp), along with a point G ∈ E, of prime order n (with n also of bit-length λ). Then, choose d ∈ Zn uniformly at random, and calculate the point Q = dG. The verification key is vk = (p, E(Zp), G, Q, H) where H is a cryptographic hash function H : ∗ λ {0, 1} → {0, 1} , while the signing key is sk = (p, E(Zp), G, d, H).

• Sign(sk, m): The signer chooses a secret k ∈ Zn uniformly at random, then calculates the point (x1, y1) = kG, and r = x1 mod n. He repeats the whole process until r 6= 0. Next, the signer computes s = k−1(H(m) + rd) mod n and repeats the signing process from the beginning until s 6= 0. The signature of the message m is the pair σ = (r, s). • Verify(vk, m, σ): To verify a signature pair σ = (r, s) of a message m for vk, the veriﬁer ﬁrst checks that Q 6= O, and 0 < r, s < n. He then computes −1 the point R = (x, y) = u1G + u2Q, where u1 = H(m)s mod n and −1 u2 = rs mod n. He accepts the signature if and only if (x, y) 6= O and r = x mod n.

4.2. ECDSA Variant with Fast Verification In this section, we propose a variant of ECDSA signatures that produces longer signatures but allows faster deterministic verification. The idea behind our proposed verification scheme of ECDSA is to speedup the double exponentiation algorithm of u1G+u2Q, by using the point doubling and adding algorithms with classical affine coordinates, while delegating all the inverse computations to the signer, and verifying their values during the process.

4.2.1. Description of the Scheme We consider the group law deﬁned on the aﬃne Weierstrass model (6). In this case, the double of a point P = (xP , yP ) is the point 2P = (x2P , y2P ), where: 2 3xP + a 2 λ0 = , x2P = λ0 − 2xP , y2P = (xP − x2P )λ0 − yP 2yP

17 while the sum of two points P = (xP , yP ) and V = (xV , yV ) in E(Zp)\{O} is S = P + V = (xS, yS), where :

yV − yP 2 λ1 = , xS = λ1 − xV − xP , yS = (xP − xS)λ1 − yP xV − xP Thus, the doubling (resp. adding) operation costs 2S+2M+1I (resp. 1S+2M+1I). A useful trick introduced in [18] can also be used when the point T = 2P +V = (xT , yT ) needs to be computed, by writing T = P + (P + V ) = P + S. Using the following identity :

yS − yP ((xP − xS)λ1 − yP ) − yP 2yP λ2 = = = − λ1 xS − xP xS − xP xP − xS we have :

2 xT = λ2 − xP − xS, yT = (xP − xT )λ2 − yP

The authors from [18] suggest that the intermediate computation of yS can thus be omitted, leaving a total of 2S+3M+2I for a double-and-add operation. During the double exponentiation algorithm, the simple add operation never occurs. There is one double and one or no add at each iteration.

Computing λ0, λ1 or λ2 involves an inverse computation in Zp which is usually too costly to perform for fast signature verification. For this reason, alternative models are often preferable to the affine Weierstrass model. In our scheme, we deport the computation of these inverses to the signer that would append the values of λ0, λ1 and λ2 when needed for each step of the “double- and-add” exponentiation algorithm. There are λ iterations in this algorithm: if the iteration includes a simple double, the signer would join the associated value of λ0 to the signature; if it includes a double-and-add operation, the signer would associate the values of λ1 and λ2. During the verification process, each inversion is then replaced by a value check, adding no extra operations compared to the original scheme, and speeding up the process but with an increase in the signature size. For example, if the operation is a point addition, the signer would join the value of λ1, and the verifier would check that

λ1(xV − xP ) = (yV − yP )

If this condition is verified, then the verifier can immediately use the value of λ1. This means that the operations 1I+1M for computing λ1 in the original scheme, are replaced by only 1M for checking its value. Table 2 compares the operation count for doubling and adding points on elliptic curves over Zp, with both affine and Jacobian projective coordinates, using the best operation count for the short Weierstrass form. We assume that S=1M, and that the double-and-add operation with Jacobian projective coordinates is done by a simple double followed by a simple add. Compared to the operation count with projective coordinates, which are the coordinates usually used in practice to

18 Operation Count Type of Coordinates Double Add Double & Add Aﬃne 4M+1I 3M+1I 5M+2I Aﬃne with Provided Inverses 4M 3M 5M Projective Jacobian 9M 16M 25M

Table 2: Operation count for double, add and double-and-add operations for elliptic curve of short Weierstrass form, assuming that S=1M. avoid inversions, the proposed variant clearly oﬀers a speedup of almost 2 for doubling a point, and of 5 for doubling-and-adding. Thus, it is more interesting during the double exponentiation algorithm to have as many iterations with double-and-add instead of a simple double as possible, to increase the speed of the computation. For that, we use another trick proposed in [2], that allows to reduce the number of iterations in half, while making the double-and-add operation more frequent during the execution. Consider the equation :

u1G + u2Q = R (7) where u1 and u2 are of size λ. One can use the Euclidean algorithm as in [2], to −1 √ write u2 = u21u22 mod n, with |u21|, |u22| < n (i.e. u21 and u22 are integers with bit-length at most λ/2). Equation (7) can then be rewritten :

u1u22G + u21Q − u22R = O (8)

bλ/2c Then, one can write u1 = u112 + u12 with a simple Euclidean division of bλ/2c u1 by 2 . We can ﬁnally write (7) as :

µ0G + µ1G0 + u21Q − u22R = O (9)

bλ/2c where G0 = 2 G, µ0 = u12u22, µ1 = u11u22, and the bit-length of µ0, µ1, u21 and u22 is at most λ/2. This transforms the double exponentiation algorithm, into a quadruple exponentiation with only half the number of iterations of the double exponentiation. In addition, simple double operation will be much less frequent in the case of the quadruple exponentiation, making the speedup with our proposed method be more present with the double-and-add operation. In the best case scenario, where the number of simple double operations is negligible, one would expect a total speedup of factor almost 9 or 10 over the use of projective coordinates as shown in Table 2.

4.2.2. Implementation and Performances To evaluate the performance of the proposed verification algorithm, the ECDSA signature scheme implemented in OpenSSL [51] was used. Some mod- ifications were added to the key generation and signing processes, and a new verification process using the OpenSSL BIGNUM library was coded and compared to the classic double exponentiation verification algorithm, and the wNAF

19 Signature Veriﬁcation Time (in ms) Size (in kb) Valid Invalid OpenSSL wNAF 0.064 1.81 1.81 Double 0.064 2.65 2.65 exponentiation Proposed variant 8.352 0.30 0.23

Table 3: Performance of the proposed progressive verification process, compared to the basic verification, in the cases of both valid and invalid signatures, for ECDSA-256 in OpenSSL, for the curve E : y2 = x3 + 7. algorithm used by OpenSSL. Table 3 compares the execution time for the different procedures. It is clear that the proposed variant, while considerably increasing the size of the signature, offers a speedup in practice of almost 9 over the regular double exponentiation algorithm. It is also more efficient compared to the optimized version of the OpenSSL wNAF implementation, where a factor 6 of speedup is obtained. This shows a trade-off that can be offered, when the verification time is more critical than the signature size for the considered application.

Remark 3. The new scheme is less efficient than the EdDSA variant from [7] (which produces also shorter signatures) but it is generic and works over any prime finite field and we did not try to propose an optimized implementation. Remark 4. A verification time / signature length trade-off can be offered with the compression technique introduced in [13]. For a double-and-add operation, the values λ1 and λ2 can be compressed and added to the signature in a single value. Meanwhile, the number of multiplications required for the operation becomes roughly 11M. This means that the trade-off reduces the signature size by half, while allowing a decrease in the speedup factor from 5 to approximately 2.3.

4.3. ECDSA Variant with Progressive Verification Our trick of using affine coordinates and giving the inverses in the elliptic curve group law gives rise to a more efficient "progressive-verification" scheme for ECDSA. It uses the same technique than for RSA: for each arithmetic operation modulo p or modulo the group order, one provides the quotient of the Eu- clidean division and we check the equality of integers modulo some "small" prime number of bit-length µ. This increases even more the length of the signature but makes the verification algorithm progressive and faster. These digital signatures with progressive verification called Progressive-ECDSA(µ) are very similar to the Progressive-RSA signature scheme. The technique consists in checking all O(λ) equalities modulo τ distinct random prime numbers of bit-length µ; if one equality does not hold, the algorithm ProgVerify outputs ⊥ and if all equalities hold the τ prime numbers, it outputs the real α = 1 − (λ · 2−µ)τ . We leave the

20 details to the reader. We obtain readily the following security results (whose proofs follow mutatis mutandis the proofs from Proposition 1 and Theorem 1, respectively).

Proposition 2. Let t : N → N and : N → [0, 1] and A be a (t, )-EUF-CMA- adversary against Progressive-ECDSA. There exist B a (t0, )-EUF-CMA-adversary against ECDSA with 0 3 t (λ) = t(λ) + qSO(λ ) and qS denotes the number of queries made by A to its signing oracle. Theorem 2. Let µ ∈ N with µ > 5. The digital signature scheme with progressive verification Progressive-ECDSA(µ) is correct. Progressive-ECDSA(µ) produces signature size with size O(λ2) = O(κ2) (which are much longer than classical ECDSA signatures but still asymptotically shorter than RSA signatures that has bit-length Ω(κ3) for security level κ). The (deterministic) fast verification algorithm has complexity O(λ3) binary operations (similar to ECDSA signatures but with a better constant) and the progressive verification algorithm has complexity O(τ · λ2 · µ) binary operations (where the error probability of the verifier decreases exponentially with τ).

5. GPV Signatures and Variants

5.1. Lattices and GPV Signatures We ﬁrst start by providing a brief background on lattices that will be useful for the description of the GPV signature scheme. All details are not necessary to understand our scheme with progressive veriﬁcation but we provide them n×m for completeness. Let p ≥ 2 be some prime integer and let A ∈ Zp be a matrix formed of n linearly independent vectors denoted A = { ~a1, . . . , ~an} with m ~ai ∈ Zp . The m-dimensional lattice associated to A is:

m T n Λ(A) = {~x ∈ Zp : A s = ~x mod p for some s ∈ Zp }

⊥ m and its dual Λ (A) = {~e ∈ Zp : A~e = 0 mod p}. One usually considers n as the security parameter and p and m as functions of n, that is p = poly(n), m = poly(n). For any ~c ∈ Rn, s ∈ R, we deﬁne the discrete Gaussian distribution over Λ(A) as:

ρs,~c(~x) DΛ(A),s,~c(~x) = , for all ~x ∈ Λ(A) ρs,~c(Λ(A))

2 2 where ρs,~c(~x) = exp (−π k~x − ~ck /s ) is the Gaussian function centered at ~c n P with parameter s over R (and naturally ρs,~c(Λ(A)) = ~z∈Λ(A) ρs,~c(~z)). For a given basis A = { ~a1, . . . , ~an} of a lattice, the norm of the basis is deﬁned as kAk = max1≤i≤n k~aik where k~aik is the Euclidean norm of ~ai. A variety of hard problems have been studied on lattices, of which we focus on two, known as the Short Integer Solution (SIS) problem and the Inhomogeneous Short Integer Solution (ISIS) problem:

21 n×m Definition 4 (SISp,m,β). Given an integer p, a matrix A ∈ Zp , and a real β, the Short Integer Solution (SIS) problem with parameters (p, m, β) is to find ~e ∈ Λ⊥(A) such that kek ≤ β. n×m Definition 5 (ISISp,m,β). Given an integer p, a matrix A ∈ Zp , a vector n ~u ∈ Zp and a real β, the Inhomogeneous Short Integer Solution (ISIS) problem m with parameters (p, m, β) is to find ~e ∈ Zp such that A~e = ~u mod p and kek ≤ β. The GPV signature scheme [27] relies on the hardness of these problems on average, for chosen parameters (see [27, 3] for details). To construct the scheme, Gentry, Peikert and Vaikutanathan provided a tuple of of probabilistic polynomial-time algorithms (TrapGen, Sample, PreImageSample) that define a function fA : Dn → Rn (together with its domain Dn and range Rn) associated ⊥ to A with a “short” basis of Λ (A) as a trapdoor for inverting fA. These 1+ algorithms are parameterized√ by a bound L ≈ m for > 0, and a Gaussian parameter s ≥ L.ω( log m). In particular: • TrapGen(1n): Use a probabilistic algorithm to sample a matrix n×m A ∈ Zp from a close-to-uniform distribution, and find a short basis ⊥ T = {t~1,..., t~n} ⊂ Λ (A) with ||T˜ || ≤ L, where T˜ is the Gram-Schmidt orthogonalization of T (see [1] for details). The function fA(.) is then de- m √ n fined as fA(~e) = A~e mod p with Dn = {~e ∈ Zp : k~ek ≤ s m}, Rn = Zp and T is its trapdoor.

n m • Sample(1 ): Samples ~e ∈ Zp at random from the input distribution D m ~ conditioned by the output of fA(~e) for which the distribution is Zp ,s,0 uniform over Rn. −1 • PreImageSample(T , ~y): Samples from fA (~y) using the "good" trapdoor basis T to output ~e ∈ Dn, which means that ~e is a short vector.

Without the trapdoor, sampling a short element from Dn is hard. It is proven in √ [27] that these algorithms provide a one-way trapdoor function if ISISp,m,s m √ is hard. They are also collision resistant if SISp,m,2s m is hard.

λ • KeyGen(1 ): Given λ, it sets the parameter n = λ and m, p, s, Dn, Rn n×m and fA as deﬁned above for a pair (A, T ) where A ∈ Zp and T is the trapdoor, from TrapGen(1n). The veriﬁcation key is vk = (A, H) where H ∗ n is a cryptographic hash function H : {0, 1} → Zp , while the signing key is sk = (T , H).

n • Sign(sk, m): Compute ~y = H(m) ∈ Zp , and run PreImageSample(T , ~y) to get ~u ∈ Dn. Output the signature σ = ~u. n • Verify(vk, m, σ): Compute ~y = H(m)√∈ Zp , and return 1 if A~u = ~y mod p and ~u ∈ Dn (in other words kuk ≤ s m) and 0 otherwise. It is worth noting that since H is a hash function which output is uniformly dis- n n tributed over Zp . This ensures the condition stated in the procedure Sample(1 ), n where the output of fA(e) should be uniformly distributed over Rn = Zp .

22 5.2. GPV with Progressive Veriﬁcation As outlined in the paper introduction, our progressive variant of the GPV signature scheme denoted Progressive-GPV introduces the use of linear codes over Zp. For this reason, we consider in the following that p is a prime number. Let `, n ∈ N and δ ∈ [0, 1]. An (`, n, δ`) p-ary linear code C is a n-dimensional ` linear subspace of Zp in which the Hamming distance between each two distinct vectors (called codewords) is at least δ` (δ is called the relative distance of the 9 `×n code). For our purpose , a matrix G in Zp is a generator matrix of C if its columns space over Zp (i.e. the set of Zp-linear combinations of its columns) is equal to C. The ratio R = n/` is called the rate of C. The security analysis of the scheme will be detailed in Section 5.3. The progressive variant Progressive-GPV of the GPV signature scheme consists of the following three algorithms:

λ • KeyGen(1 ): Given λ, it sets the parameter n = λ and m, p, s, Dn, Rn n×m and fA as deﬁned above for a pair (A, T ) where A ∈ Zp and T is the trapdoor, from TrapGen(1n). The algorithm also sets two parameters ` ∈ N with ` > n and δ ∈ [0, 1] and generate a (`, n, δ`) linear code with `×n 0 generator matrix G ∈ Zp . It sets A = G · A. The veriﬁcation key is vk = (A0, G, H) where H is a cryptographic hash function H : {0, 1}∗ → n Zp , while the signing key is sk = (T , H). n • Sign(sk, m): Compute ~y = H(m) ∈ Zp , and run PreImageSample(T , ~y) to get ~u ∈ Dn. Output the signature σ = ~u.

n • Verify(vk, m, σ): Compute ~y = H(m) ∈ Zp and set ~u = σ. Return 1 0 √ if A ~u = G~y mod p and ~u ∈ Dn (in other words kuk ≤ s m) and 0 otherwise. In this scheme, the signing algorithm and the signatures are not modified (compared to the original GPV scheme). The size of the public key is increased (from nm log(p) to `(n + m) log(p) bits) and the verification algorithm is slower than the verification algorithm of the GPV scheme (since it requires two matrix/vector multiplication instead of just one). However, the use of a “good” error-correcting code of generating matrix G allows fast progressive verification since a verifier can simply check the equality of random rows of A0~u and G~y n with ~y = H(m) ∈ Zp for a putative signature σ = ~u of a message m: • ProgVerify(vk, m, σ, τ): Given a putative signature σ of a message m for n vk, compute√ ~y = H(m) ∈ Zp , set ~u = σ and check that ~u ∈ Dn (i.e kuk ≤ s m). The algorithm picks uniformly at random τ distinct indices 0 j1, . . . , jτ in [`] and returns ⊥ if A ~u{ji}= 6 G~y{ji} mod p for some i ∈ [τ] and it returns α = 1 − (1 − δ)τ otherwise.

9Note that usually one considers a generator matrix as a matrix whose rows form a basis of the code, but using the columns makes the presentation simpler.

23 ` In this algorithm, for a vector ~v ∈ Zp and i ∈ [`], ~v{i} denotes the i-th coordinate 0 of ~v. In particular, for i ∈ [τ] computing A ~u{ji} is an inner-product over Zp of vectors of length n and computing G~y{ji} is an inner-product over Zp of vectors of length m. Note that the larger δ is, the more accurate the progressive veriﬁcation procedure, but the larger the public-key size .

5.3. Security Analysis The signatures output by Progressive-GPV are identical to those produces by GPV. Moreover, the algorithm Progressive-GPV.Verify accepts σ as a valid signature on m for vk if and only if we have GPV.Verify(vk, m, σ) = 1 (since G ∈ `×n Zp is of full-rank n). We thus obtain immediately the following proposition: Proposition 3. Let t : N → N and : N → [0, 1], be two functions and let A be (t, )-EUF-CMA-adversary against Progressive-GPV. There exist B a (t0, )- EUF-CMA-adversary against GPV with t0 = t.

Following the probabilistic analysis outlined in the introduction, we can show that the progressive veriﬁcation of Progressive-GPV is correct:

Theorem 3. The signature scheme with progressive verification Progressive-GPV is correct ( i.e. it returns ⊥ only for invalid signatures and if it returns a real number α ∈ [0, 1] on input (vk, m, σ, τ) then σ is not a signature of m for vk with probability at most 1 − α. Proof. Given a putative signature σ of a message m for vk, σ = ~u is valid if and 0 n only A ~u = G~y mod p where ~y = H(m) ∈ Zp . In other words, σ is valid if and only if G(A~u − ~y) = ~0 mod p. If σ is valid the all τ random rows checked during the run of ProgVerify(vk, m, σ, τ) are equal and ProgVerify(vk, m, σ, τ) does not return ⊥. Besides, if σ is not valid, at least one row out of the ` are not equal and we have G(A~u−~y) 6= ~0 mod p. By construction, G(A~u −~y) is a codeword in our error-correcting code of generator matrix G which is a (`, n, δ`) linear code. A non-zero codeword has Hamming weight (i.e. non-zero coordinates) at least δ · ` and thus there exists at least δ` 0 coordinates k1, . . . , kω in [`] for ω ≥ δ` such that A ~u{ki} 6= G~y{ki} mod p for i ∈ [ω]. The probability that each row index ji picked in ProgVerify does not belong to {k1, . . . , kω} is upper-bounded by (` − ω)/` ≤ (` − δ`)/` = (1 − δ) and therefore the probability that the τ row indices picked by ProgVerify does not belong to this set is upper-bounded by (1 − δ)τ . The probability that an invalid signature is not detected by the verification algorithm is upper-bounded by (1 − δ)τ and thus the real α = 1 − (1 − δ)τ output by the algorithm provides a correct confidence level for this signature scheme.

24 5.4. Complexity, Implementation and Performances The proposed scheme Progressive-GPV produces signature identical to those produced by the original GPV (with the same algorithm and the same computational complexity). The verification key in Progressive-GPV is larger since it consists of two-matrices over Zp instead of just one: the verification key size is `(n+m) log(p) instead of nm log(p) (with ` > n). For the progressive verification algorithm, the error probability decreases exponentially with τ the number of verifier steps as (1 − δ)τ . Its binary computational complexity of the algorithm is O(τ(n+m) log2(p)) (compared to O(nm log2(p)) for the original GPV scheme) and does not depend on `. It is therefore desirable to have an error-correcting code with ` as small as possible and δ as large as possible. Since we do not need any other specific property for our error-correcting (such as efficient decoding), we simply use random linear error-correcting codes which achieve the so-called Gilbert-Varshamov bound with overwhelming probability.

5.4.1. Random linear codes and Gilbert-Varshamov Bound The Gilbert-Varshamov bound for linear codes asserts the existence of p-ary linear codes for any relative minimum distance less than some given bound that simultaneously have high rate. Let Hp denote the p-ary entropy function:

Hp(x) = x logp(p − 1) − x logp x − (1 − x) logp(1 − x). We have the following result:

−1 Theorem 4 ([52, 28]). Let p > 2 be some prime number. For every 0 6 δ < 1 − p and 0 < ε 6 1 − Hp(δ), there exists a linear code with rate R > 1 − Hp(δ) − ε and relative distance at least δ. It is worth mentioning that the existence proof of this theorem uses the probabilistic method, and thus is not constructive. However, it can be made explicit in the sense that the probability that a random code over Zp with a given rate does not achieve the relative distance given by Theorem 4 is negligible:

Corollary 1 ([52]). Let p > 2 be some prime number. Let n, ` be two integers with ` > n and let δ ∈ [0, 1]. The probability that a code deﬁned by a generator `×n matrix G picked uniformly at random in Zp has relative distance smaller than δ is smaller than p−`(1−Hp(δ))+n.

5.4.2. Execution Time for Progressive-GPV In this paragraph, we consider implementation for GPV signatures for two parameters settings for GPV signatures taken from [3] (but using a prime value for p with similar size to the power of 2 considered in [3]). The ﬁrst instantiation provides a 78-bit security level (with a prime p with bit-length 27) while the second one provides a 128-bit security level (with a prime p with bit-length 30). Suppose we want an error-correcting code with rate R = 1/2. We use a `×n random generator matrix G ∈ Zp with ` = 2n (where n = 256 for the ﬁrst instantiation and n = 512 for the second instantiation). For δ = 0.45, we have

25 GPV Basic Progressive Security Code Configu- Verification δ Verification Level Rate ration Time (in ms) Time (in ms)

p ≈ 227, 1/2 0.45 12.505 n = 256, 78 bits 24.76 1/3 0.62 8.410 m = 7424 1/4 0.70 6.134

p ≈ 230, 1/2 0.45 19.054 n = 512, 108 bits 83.203 1/3 0.62 13.313 m = 16384 1/4 0.70 9.898

Table 4: Progressive Verification configuration and execution time on GPV signature Scheme, using a randomly generated (`, n, δ`) linear code. The error bound for the verification is fixed at 2−96. The verification is simulated using the MPFQ Finite Fields Library [26].

in both cases Hp(δ) < 0.487 and thus the probability given by Corollary 1 is upper-bounded by p−`(1−Hp(δ))+n = p−n(1−2Hp(δ)) ≤ p−0.026n < 2−179. We can therefore safely assume that our random matrix generates a code with relative distance at least δ = 0.45 even if there is no efficient way to check that this is indeed the case. Formally, in our security analysis, we have to add this small probability to the error probability in the progressive verification decision procedure. We also consider smaller rates R = 1/3 and R = 1/4 that increase the size of the verification key but ensures that we have a code with the large relative distance with overwhelming probability (namely δ ≥ 0.24 and δ ≥ 0.29 respectively). As proved above, the error probability of the progressive verification algorithm decreases as δτ where τ is the number of random rows tested in the procedure. For the first case with rate R = 1/2 and p a prime number of bit-length 27, the time to check one row with our parameter is approximatively 0.112 ms using the MPFQ Finite Fields Library [26]. By checking 38 rows in time 4.26 ms, we have an error probability at most 2−32 and if one checks 112 rows (which makes the error probability as small as 2−96), the time verification is only 12.505 ms (compared to to 24.76 ms for the original verification of GPV for these parameters). Table 4 summarized our obtained results for the two instantiations and rates R ∈ {1/4, 1/3, 1/2}.

Remark 5. A possible approach to limit the public-key size increase in our scheme is to use a matrix G with some structure in order to compress it. For instance, one can use cyclic random linear codes or quasi-cyclic random linear codes. Bounds similar to the Gilbert-Varshamov bound are known for such codes (see [25] for instance) for p large enough (and with some specific arithmetical properties). This allows to compress the verification key (but at the cost of reducing the proven relative distance and thus the verification efficiency).

26 5.5. Wave Signatures and Progressive Verification 5.5.1. Brief description Recently, Debris-Alazard, Sendrier and Tillich [16] presented an efficient code-based signature scheme called Wave. We do not describe their nice scheme in details but rather refer to [16] for details. As GPV signatures, Wave is based on a family of trapdoor one-way preimage sampleable functions f; the message to be signed is hashed to produce a random element in the domain of f and the signer uses the trapdoor to compute a pre-image of this element. Debris- Alazard et al. proposed a code-based one way trapdoor function that meets the preimage sampleable property (in a slighty relaxed way). Instead of a short basis of the lattice considered in the construction as in GPV, their trapdoor consists in choosing parity-check matrices of specific error-correcting codes over the ternary field F3. For our purposes, it is sufficient to know that the verification algorithm of Wave consists of a single matrix/vector multiplication and a check that the result matches the hash value of the message (and some given random salt). The underlying finite field in Z3 and we can use our progressive verification technique even on this small finite field (but a smaller relative distance).

5.5.2. Execution Time for Progressive-Wave Debris-Alazard et al. proposed several parameters and an efficient implementation and we include our progressive verification algorithm to their implementation. For a 96-bit security level, using the same notation as above the matrix used in the (deterministic) verification algorithm is n×m with n = 2165 and m = 4203. For a rate R = 1/2, since p = 3, we cannot obtain a very large relative distance for our random linear code, but with δ = 0.15, we have H3(δ) ≤ 0.48 and the probability given by Corollary 1 is upper-bounded by p−`(1−Hp(δ))+n = 3−n(1−2Hp(δ)) ≤ 3−0.04n < 2−137. We can therefore again safely assume that our random matrix generates a code with relative distance at least δ = 0.15. Table 5 shows the execution time of the basic and progressive verification schemes. As for GPV, we present timings for a full progressive verification that makes the error probability smaller than 2−96.

6. Conclusion and Open Problems

We revisited the concepts of progressive verification and flexible signatures. We proposed efficient probabilistic verification procedures for RSA, ECDSA, GPV and Wave digital signatures in which the error probability of a verifier decreases exponentially with the verifier running time. Our proposed scheme for ECDSA increases significantly the signature size; an interesting open problem is to propose a scheme with efficient progressive verification where this size is only increased by some constant factor (or prove that none exists). It also remains open to design such verification procedures for pairing-based signature schemes such as [10] or [9]. It may be possible to adapt the techniques proposed in this article for pairing computation, for instance by

27 Wave Basic Progressive Security Code Configu- Verification δ Verification Level Rate ration Time (in ms) Time (in ms)

q = 3, 1/2 0.15 0.424 n = 2165, 96 bits 1.416 1/3 0.24 0.291 m = 4203 1/4 0.29 0.223

q = 3, 1/2 0.15 0.615 n = 2887, 128 bits 2.614 1/3 0.24 0.375 m = 5605 1/4 0.29 0.294

Table 5: Progressive Verification configuration and execution time for the Wave signature Scheme, using a randomly generated (`, n, δ`) linear code. The error bound for the verification is fixed at 2−96. appending to the signatures the coefficients arising in the lines and tangent computation of the Miller functions (as it has been done for pairing outsourcing for optimal Ate pairing on a Barreto-Naehrig curve in [31]). However this requires a specific efficiency analysis and new ideas are probably required to keep the signature length practical. Finally, since verification procedures are involved in most cryptographic primitives, it is interesting to see if our techniques permit improvement in other settings (e.g. for commitment schemes, or proof systems).

References

[1] Miklós Ajtai. Generating hard instances of the short basis problem. In In- ternational Colloquium on Automata, Languages, and Programming, pages 1–9. Springer, 1999. [2] Adrian Antipa, Daniel R. L. Brown, Robert Gallant, Rob Lambert, René Struik, and Scott A. Vanstone. Accelerated verification of ECDSA signatures. In Bart Preneel and Stafford Tavares, editors, SAC 2005, volume 3897 of LNCS, pages 307–318. Springer, Heidelberg, August 2006. [3] Rachid El Bansarkhani and Johannes Buchmann. Improvement and efficient implementation of a lattice-based signature scheme. In Tanja Lange, Kristin Lauter, and Petr Lisonek, editors, SAC 2013, volume 8282 of LNCS, pages 48–67. Springer, Heidelberg, August 2014. [4] Mihir Bellare, Juan A. Garay, and Tal Rabin. Batch verification with applications to cryptography and checking. In Claudio L. Lucchesi and Arnaldo V. Moura, editors, LATIN 1998, volume 1380 of LNCS, pages 170–191. Springer, Heidelberg, April 1998. [5] Mihir Bellare and Phillip Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In Ueli M. Maurer, editor, EURO- CRYPT’96, volume 1070 of LNCS, pages 399–416. Springer, Heidelberg, May 1996.

28 [6] Daniel J. Bernstein. A secure public-key signature system with extremely fast veriﬁcation. unpublished, available at https://cr.yp.to/papers/ sigs.pdf, 2000. [7] Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. High-speed high-security signatures. J. Cryptographic Engineering, 2(2):77–89, 2012.

[8] Daniel J. Bernstein and Tanja Lange. Explicit-formulas database. http: //www.hyperelliptic.org/EFD, download date: 2019-12-10. [9] Dan Boneh and Xavier Boyen. Short signatures without random oracles and the SDH assumption in bilinear groups. Journal of Cryptology, 21(2):149– 177, April 2008. [10] Dan Boneh, Ben Lynn, and Hovav Shacham. Short signatures from the Weil pairing. Journal of Cryptology, 17(4):297–319, September 2004. [11] Cecilia Boschini, Dario Fiore, and Elena Pagnin. On the efficiency and flex- ibility of signature verifications formal model and realizations from lattices. (in submission), 2020.

[12] Richard Brent and Paul Zimmermann. Modern Computer Arithmetic. Cambridge University Press, New York, NY, USA, 2010.

[13] Mathieu Ciet, Marc Joye, Kristin Lauter, and Peter L Montgomery. Trad- ing inversions for multiplications in elliptic curve cryptography. Designs, codes and cryptography, 39(2):189–206, 2006. [14] Ronald Cramer and Victor Shoup. Signature schemes based on the strong RSA assumption. ACM Trans. Inf. Syst. Secur., 3(3):161–185, 2000. [15] Ch. J. de la Vallée Poussin. Recherches analytiques sur la théorie des nombres premiers. Brux. S. sc. 21 B, 183-256, 281-362, 363-397, 1896. [16] Thomas Debris-Alazard, Nicolas Sendrier, and Jean-Pierre Tillich. Wave: A new family of trapdoor one-way preimage sampleable functions based on codes. In Steven D. Galbraith and Shiho Moriai, editors, Advances in Cryp- tology - ASIACRYPT 2019 - 25th International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, De- cember 8-12, 2019, Proceedings, volume to appear of Lecture Notes in Com- puter Science. Springer, 2019. [17] Pierre Dusart. Autour de la fonction qui compte le nombre de nombres premiers. PhD thesis, Université de Limoges, 1998. [18] Kirsten Eisenträger, Kristin Lauter, and Peter L. Montgomery. Fast elliptic curve arithmetic and improved Weil pairing evaluation. In Marc Joye, editor, CT-RSA 2003, volume 2612 of LNCS, pages 343–354. Springer, Heidelberg, April 2003.

29 [19] Uriel Feige, Amos Fiat, and Adi Shamir. Zero-knowledge proofs of identity. Journal of Cryptology, 1(2):77–94, June 1988. [20] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identiﬁcation and signature problems. In Andrew M. Odlyzko, editor, CRYPTO’86, volume 263 of LNCS, pages 186–194. Springer, Heidelberg, August 1987. [21] Marc Fischlin. Progressive veriﬁcation: The case of message authentication: (extended abstract). In Thomas Johansson and Subhamoy Maitra, editors, INDOCRYPT 2003, volume 2904 of LNCS, pages 416–429. Springer, Hei- delberg, December 2003.

[22] Marc Fischlin. Fast veriﬁcation of hash chains. In Tatsuaki Okamoto, editor, CT-RSA 2004, volume 2964 of LNCS, pages 339–352. Springer, Heidelberg, February 2004. [23] Cody Freitag, Rishab Goyal, Susan Hohenberger, Venkata Koppula, Eysa Lee, Tatsuaki Okamoto, Jordan Tran, and Brent Waters. Signature schemes with randomized veriﬁcation. In Dieter Gollmann, Atsuko Miyaji, and Hiroaki Kikuchi, editors, ACNS 17, volume 10355 of LNCS, pages 373– 389. Springer, Heidelberg, July 2017. [24] Rusins Freivalds. Probabilistic machines can use less running time. In Bruce Gilchrist, editor, Information Processing, Proceedings of the 7th IFIP Congress 1977, Toronto, Canada, August 8-12, 1977, pages 839–842. North-Holland, 1977. [25] Philippe Gaborit and Gilles Zémor. Asymptotic improvement of the Gilbert-Varshamov bound for linear codes. IEEE Trans. Information The- ory, 54(9):3865–3872, 2008. [26] Pierrick Gaudry and Emmanuel Thomé. The MPFQ library and imple- menting curve-based key exchanges, 2007. [27] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In Richard E. Ladner and Cynthia Dwork, editors, 40th ACM STOC, pages 197–206. ACM Press, May 2008.

[28] E. N. Gilbert. A comparison of signalling alphabets. The Bell System Technical Journal, 31(3):504–522, 1952. [29] Marc Girault and David Lefranc. Server-aided veriﬁcation: Theory and practice. In Bimal K. Roy, editor, ASIACRYPT 2005, volume 3788 of LNCS, pages 605–623. Springer, Heidelberg, December 2005. [30] Torbjörn Granlund and et al. GNU multiple precision arithmetic library 4.1.2, December 2002. http://swox.com/gmp/.

30 [31] Aurore Guillevic and Damien Vergnaud. Algorithms for outsourcing pairing computation. In Marc Joye and Amir Moradi, editors, Smart Card Research and Advanced Applications - 13th International Conference, CARDIS 2014, Paris, France, November 5-7, 2014. Revised Selected Papers, volume 8968 of Lecture Notes in Computer Science, pages 193–211. Springer, 2014. [32] Louis C. Guillou and Jean-Jacques Quisquater. A practical zero-knowledge protocol ﬁtted to security microprocessor minimizing both trasmission and memory. In C. G. Günther, editor, EUROCRYPT’88, volume 330 of LNCS, pages 123–128. Springer, Heidelberg, May 1988. [33] J. Hadamard. Sur la distribution des zéros de la fonction ζ(s) et ses con- séquences arithmétiques. Bull. Soc. Math. Fr., 24:199–220, 1896. [34] Gene Itkis and Leonid Reyzin. Forward-secure signatures with optimal signing and verifying. In Joe Kilian, editor, CRYPTO 2001, volume 2139 of LNCS, pages 332–354. Springer, Heidelberg, August 2001.

[35] M. Jakobsson. Fractal hash sequence representation and traversal. In Pro- ceedings IEEE International Symposium on Information Theory,, page 437, 2002. [36] Markus Jakobsson. Fractal hash sequence representation and traversal. Cryptology ePrint Archive, Report 2002/001, 2002. http://eprint.iacr. org/2002/001. [37] Markus Jakobsson, Frank Thomson Leighton, Silvio Micali, and Michael Szydlo. Fractal Merkle tree representation and traversal. In Marc Joye, editor, CT-RSA 2003, volume 2612 of LNCS, pages 314–326. Springer, Heidelberg, April 2003.

[38] Don Johnson, Alfred Menezes, and Scott A. Vanstone. The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Sec., 1(1):36–63, 2001. [39] Akinori Kawachi, Keisuke Tanaka, and Keita Xagawa. Concurrently secure identiﬁcation schemes based on the worst-case hardness of lattice problems. In Josef Pieprzyk, editor, ASIACRYPT 2008, volume 5350 of LNCS, pages 372–389. Springer, Heidelberg, December 2008. [40] Leslie Lamport. Constructing digital signatures from a one-way function. Technical Report SRI-CSL-98, SRI International Computer Science Labo- ratory, October 1979. [41] Duc Viet Le, Mahimna Kelkar, and Aniket Kate. Flexible signatures: Mak- ing authentication suitable for real-time environments. In Kazue Sako, Steve Schneider, and Peter Y. A. Ryan, editors, ESORICS 2019, Part I, volume 11735 of LNCS, pages 173–193. Springer, Heidelberg, September 2019.

31 [42] Vadim Lyubashevsky. Lattice signatures without trapdoors. In David Pointcheval and Thomas Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, pages 738–755. Springer, Heidelberg, April 2012. [43] Ralph C. Merkle. A certiﬁed digital signature. In Gilles Brassard, editor, CRYPTO’89, volume 435 of LNCS, pages 218–238. Springer, Heidelberg, August 1990. [44] Albrecht Petzoldt, Ming-Shing Chen, Bo-Yin Yang, Chengdong Tao, and Jintai Ding. Design principles for HFEv-based multivariate signature schemes. In Tetsu Iwata and Jung Hee Cheon, editors, ASIACRYPT 2015, Part I, volume 9452 of LNCS, pages 311–334. Springer, Heidelberg, Novem- ber / December 2015. [45] Jean-Jacques Quisquater and Marijke De Soete. Speeding up smart card RSA computation with insecure coprosessors. In Proceeding of Smart Cards 2000, pages 191–197, 1989. [46] Koichi Sakumoto, Taizo Shirai, and Harunaga Hiwatari. Public-key iden- tiﬁcation schemes based on multivariate quadratic polynomials. In Phillip Rogaway, editor, CRYPTO 2011, volume 6841 of LNCS, pages 706–723. Springer, Heidelberg, August 2011.

[47] Claus-Peter Schnorr. Eﬃcient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, January 1991. [48] Jerome A. Solinas. Pseudo-Mersenne prime. In Henk C. A. van Tilborg, editor, Encyclopedia of Cryptography and Security. Springer, 2005. [49] Jacques Stern. A new identiﬁcation scheme based on syndrome decoding. In Douglas R. Stinson, editor, CRYPTO’93, volume 773 of LNCS, pages 13–21. Springer, Heidelberg, August 1994.

[50] Jacques Stern. A new paradigm for public key identification. IEEE Trans. Information Theory, 42(6):1757–1768, 1996. [51] The OpenSSL Project. OpenSSL: The open source toolkit for SSL/TLS. www.openssl.org, April 2003. [52] R. R. Varshamov. Estimate of the number of signals in error correcting codes) (Russian, Р. Р. Варшамов – Оценка числа сигналов в кодах с коррекцией ошибок). Dokl. Akad. Nauk SSSR, 117:739–741, 1957. [53] David Wagner. Shortcut digital signature verification failure. The Cryp- tography Mailing List, June, 22nd 2002. [54] Virginia Vassilevska Williams. Multiplying matrices faster than coppersmith-winograd. In Howard J. Karloff and Toniann Pitassi, editors, 44th ACM STOC, pages 887–898. ACM Press, May 2012.